
I have LDAP agent authentication working fine from a single domain (well, password sync: agents still need to be created in the database first, which, as I understand it, is normal behavior, and I don't have a problem with it). However, I'm not sure how to proceed for child domains. Most of our agents and users are in trusted child domains of the forest root. The documentation seems to be a little sparse in dealing with this situation. Regarding customer authentication, even when testing from an account in the forest root domain I have yet to get this working. I receive "Login failed! Your username or password was entered incorrectly." when trying to log in to the customer portal with a verified AD account. I can select LDAP from the drop-down when adding a customer in the web admin, but no current user in the domain can log in. From what I've read, there shouldn't be a need to have an internal account already created for the customer portal. Here's the relevant portion of my Config.pm. My root domain is testprod.com; the GC controller is test-dc1.testprod.com. The OTRS access account is a member of Domain Users and builtin\Windows Authorization Access Group Properties. Does anything jump out as improperly configured? The domain is Server 2008 SP2.
# LDAP Authentication for Production Forest

# Agent Authentication
$Self->{'AuthModule'}                     = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'}         = 'test-dc1.testprod.com';
$Self->{'AuthModule::LDAP::BaseDN'}       = 'dc=testprod,dc=com';
$Self->{'AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Access,cn=Users,dc=testprod,dc=com';
$Self->{'AuthModule::LDAP::SearchUserPw'} = '*******!';

# LDAP Authentication - Customer
$Self->{'Customer::AuthModule'}                     = 'Kernel::System::CustomerAuth::LDAP';
$Self->{'Customer::AuthModule::LDAP::Host'}         = 'test-dc1.testprod.com';
$Self->{'Customer::AuthModule::LDAP::BaseDN'}       = 'dc=testprod,dc=com';
$Self->{'Customer::AuthModule::LDAP::UID'}          = 'sAMAccountName';
$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Access,cn=Users,dc=testprod,dc=com';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '********!';

# LDAP Getting Customer User Information
# CustomerUser
# (customer user ldap backend and settings)
$Self->{CustomerUser} = {
    Name   => 'LDAP Data Source',
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        # ldap host
        Host => 'test-dc1.testprod.com',
        # ldap base dn
        BaseDN => 'dc=testprod,dc=com',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'cn=OTRS Access,cn=Users,dc=testprod,dc=com',
        UserPw => '********!',
        # in case you want to add always one filter to each ldap query, use
        # this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter => '(objectclass=user)'
        AlwaysFilter => '',
        # if your frontend is e. g. iso-8859-1 and the charset of your
        # ldap server is utf-8, use these options.
        # SourceCharset => 'utf-8',
        # DestCharset => 'iso-8859-1',
        # if both your frontend and your LDAP are unicode, use this:
        # SourceCharset => 'utf-8',
        # DestCharset => 'utf-8',
        # Net::LDAP new params (if needed - for more info see perldoc Net::LDAP)
        Params => {
            port    => 389,
            timeout => 120,
            async   => 0,
            version => 3,
        },
    },
    # customer unique id
    CustomerKey => 'uid',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields             => ['cn', 'mail'],
    CustomerUserSearchFields           => ['uid', 'cn', 'mail'],
    CustomerUserSearchPrefix           => '',
    CustomerUserSearchSuffix           => '*',
    CustomerUserSearchListLimit        => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    # show not own tickets in customer panel, CompanyTickets
    CustomerUserExcludePrimaryCustomerID => 0,
    # add an ldap filter for valid users (expert setting)
    # CustomerUserValidFilter => '(!(description=locked))',
    # administrator can't change customer preferences
    AdminSetPreferences => 0,
    # cache time to live in sec. - cache any database queries
    # CacheTTL => 0,
    Map => [
        # note: Login, Email and CustomerID are mandatory!
        # var, frontend, storage, shown (1=always,2=lite), required, storage-type, http-link, readonly
        [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
        [ 'UserFirstname',  'Firstname',  'givenname',       1, 1, 'var', '', 0 ],
        [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
        [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
        [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
        [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
        # [ 'UserCustomerIDs', 'CustomerIDs', 'second_customer_ids', 1, 0, 'var', '', 0 ],
        [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
        [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
        [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
    ],
};
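As an added diagnostic (example code written for this thread, not part of the post or of OTRS), the script below replays by hand the search-then-bind sequence the LDAP auth modules perform, but against the Active Directory Global Catalog port 3268, where a forest-root BaseDN also returns users from trusted child domains; it also reports whether the 'uid' attribute that the CustomerUser backend uses as CustomerKey/UserLogin is populated for the account. Host, BaseDN and search-account DN are taken from the config above; the search-account password is a placeholder and the test login and password are command-line arguments.

```perl
# Added diagnostic for the config above (not OTRS code): replay the
# search-then-bind sequence the LDAP auth modules perform, but against the
# Global Catalog port so child-domain users are visible under the forest root.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host      = 'test-dc1.testprod.com';    # GC controller named in the post
my $gc_port   = 3268;                       # AD Global Catalog LDAP port
my $base_dn   = 'dc=testprod,dc=com';       # forest-root BaseDN from the config
my $search_dn = 'cn=OTRS Access,cn=Users,dc=testprod,dc=com';
my $search_pw = 'REPLACE_ME';               # placeholder, not the real secret

my ( $login, $user_pw ) = @ARGV;
die "usage: $0 <sAMAccountName> <password>\n"
    unless defined $login && defined $user_pw;

my $ldap = Net::LDAP->new( $host, port => $gc_port, version => 3, timeout => 120 )
    or die "connect to $host:$gc_port failed: $@\n";

# 1. Bind as the search account (SearchUserDN / SearchUserPw in the config).
my $mesg = $ldap->bind( $search_dn, password => $search_pw );
die 'search-account bind failed: ' . $mesg->error . "\n" if $mesg->code;

# 2. Locate the user by the attribute the auth module is configured with
#    (sAMAccountName). Also fetch 'uid', which the CustomerUser backend keys
#    on; the user-supplied login is escaped before it goes into the filter.
my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s))',
    escape_filter_value($login);
$mesg = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => $filter,
    attrs  => [qw(sAMAccountName uid mail cn)],
);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code;
my @entries = $mesg->entries;
die "no entry for sAMAccountName=$login under $base_dn (via GC)\n" unless @entries;
die scalar(@entries) . " entries matched; login is ambiguous forest-wide\n"
    if @entries > 1;
my $entry = $entries[0];
printf "found %s\n  mail: %s\n  uid:  %s\n", $entry->dn,
    $entry->get_value('mail') // '(empty)', $entry->get_value('uid') // '(empty)';

# 3. Re-bind with the user's own DN and password; this is the step that
#    actually verifies the credential.
$mesg = $ldap->bind( $entry->dn, password => $user_pw );
my $verdict = $mesg->code ? 'user bind FAILED: ' . $mesg->error : 'user bind OK';
print "$verdict\n";
$ldap->unbind;
```

Binding on port 3268 for a user from a child domain is assumed to be accepted; if that step is refused, repeat it against port 389 of a domain controller in the user's own domain. An empty 'uid' in the output means the CustomerUser backend cannot match the entry by its configured CustomerKey even though the auth module found it.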